California Consumer Privacy Act

California recently passed legislation the California Consumer Privacy Act (CCPA), which beefs up protections on consumer privacy and gives more power to consumers when it comes to managing the personal information that an organization collects and uses. Companies making connected products should take this legislation seriously and make sure to be compliant by January 2020.

You May Be Compliant Already

In May 2018, EU regulations called GDPR, which focused on consumer privacy, went into effect. If you are GDPR-compliant, you are likely already in accordance with the California Consumer Privacy Act.

If you are at a multinational corporation, you have already done the work to be compliant with GDPR. However, US-based companies that do not sell into Europe (or are not subject to GDPR for any reason) may be at risk of being unprepared for customer requests for data and fines if there’s a data breach that compromises that data.

How California Consumer Privacy Act compares to GDPR

The California Consumer Privacy Act looks like a watered-down version of GDPR. One big difference is that it appears that with CCPA, consumers can be automatically opted in versus having to expressly give consent when it comes to collecting personal data. In the CCPA, the only language around opt-in is in regards to data of children under the age of 16 years old.

Also, unlike GDPR, it is not required for a company to stop collecting information at a customer’s request. Rather, the product company must stop selling or sharing that data if the customer asks for that.

How CCPA Affects Connected Product Companies

The legislation empowers your customer to own, manage and delete their private data, understand the use of their private data and prohibit your company from selling or sharing their personal data. It requires that businesses that collect sensitive data take the steps necessary to keep it safe and face consequences if they do not.

It is yet an added layer to complexity for connected product manufacturers. But in a world where we are headed for more regulation around privacy and security, it is to be expected.

The most critical action item is to ensure that there are systems and mechanisms in place to retrieve your customer’s personal data in a scalable way and deliver it to them (you could have to do it up to two times a year, at no cost to the customer.)

Details on CCPA

The California Consumer Privacy Act will go into effect on January 1, 2020.

Enforcement of California Consumer Privacy Act is via a private right of action (consumer lawsuits) for data breaches, with the rest of the act subject to enforcement by the California Attorney General, at up to $2,500 per violation.

Under the California Consumer Privacy Act, only businesses that sell 100,000+ consumer records each year, derive half or more of their annual revenue by selling your personal information, or earn $50,000,000 a year in revenue, must comply.

All businesses must comply if they collect or sell Californian’s personal information, whether they are located in California, a different state or even a different country.

Looking Forward

There are many consumer concerns on privacy and security. Use 2019 as the year to get your ducks in a row. If you aren’t already, make sure that your company is equipped to handle the requirements of the new legislation.

Your customers will come to expect more transparency, so start soon and build trust with your customers - not only will your customers appreciate it, but in the near future, it will be law.

Disclaimer: I am not a lawyer. This blog post is for informational purposes only and should not be seen as any kind of legal advice. Before taking any action, be sure to speak with your legal team to formulate your plan on compliance with any regulation.